Package org.keycloak.protocol.saml
Class SamlProtocol
java.lang.Object
org.keycloak.protocol.saml.SamlProtocol
- All Implemented Interfaces:
LoginProtocol
,Provider
- Direct Known Subclasses:
TokenEndpoint.TokenExchangeSamlProtocol
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.protocol.LoginProtocol
LoginProtocol.Error
-
Field Summary
Modifier and TypeFieldDescriptionprotected ArtifactResolver
static final String
static final String
static final String
protected EventBuilder
protected jakarta.ws.rs.core.HttpHeaders
protected static final org.jboss.logging.Logger
static final String
protected RealmModel
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
protected KeycloakSession
protected SingleUseObjectProvider
protected jakarta.ws.rs.core.UriInfo
static final String
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionjakarta.ws.rs.core.Response
authenticated
(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) jakarta.ws.rs.core.Response
backchannelLogout
(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected String
buildArtifactAndStoreResponse
(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) protected String
buildArtifactAndStoreResponse
(SAML2Object statusResponseType, UserSessionModel userSession) protected jakarta.ws.rs.core.Response
buildArtifactAuthenticatedResponse
(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token sends the artifact message via post or redirect.protected jakarta.ws.rs.core.Response
buildAuthenticatedResponse
(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) protected jakarta.ws.rs.core.Response
buildErrorResponse
(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) protected jakarta.ws.rs.core.Response
buildLogoutArtifactResponse
(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token, sends the artifact message via post or redirect.protected jakarta.ws.rs.core.Response
buildLogoutResponse
(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) void
close()
protected LogoutRequestType
createLogoutRequest
(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) jakarta.ws.rs.core.Response
finishBrowserLogout
(UserSessionModel userSession, AuthenticationSessionModel logoutSession) This method is called when browser logout is going to be finished.jakarta.ws.rs.core.Response
frontchannelLogout
(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) getClientData
(AuthenticationSessionModel authSession) Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests.static String
getLogoutServiceUrl
(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) protected String
getNameId
(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) protected String
getNameIdFormat
(SamlClient samlClient, AuthenticationSessionModel authSession) protected String
getPersistentNameId
(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows: saml.persistent.name.id.for.$clientId user attribute saml.persistent.name.id.for.* user attribute G-$randomUuidprotected String
getResponseIssuer
(RealmModel realm) protected String
getSAMLNameId
(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected boolean
isLogoutPostBindingForClient
(AuthenticatedClientSessionModel clientSession) static boolean
protected boolean
isPostBinding
(AuthenticatedClientSessionModel clientSession) protected boolean
isPostBinding
(AuthenticationSessionModel authSession) populateAttributeStatements
(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) void
populateRoles
(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) boolean
requireReauthentication
(UserSessionModel userSession, AuthenticationSessionModel authSession) jakarta.ws.rs.core.Response
sendError
(ClientModel client, ClientData clientData, LoginProtocol.Error error) Send the specified error to the specified client with the use of this protocol.jakarta.ws.rs.core.Response
sendError
(AuthenticationSessionModel authSession, LoginProtocol.Error error, String errorMessage) setEventBuilder
(EventBuilder event) setHttpHeaders
(jakarta.ws.rs.core.HttpHeaders headers) setRealm
(RealmModel realm) setSession
(KeycloakSession session) setUriInfo
(jakarta.ws.rs.core.UriInfo uriInfo) transformLoginResponse
(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) static boolean
useArtifactForLogout
(ClientModel client) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.keycloak.protocol.LoginProtocol
sendPushRevocationPolicyRequest
-
Field Details
-
ATTRIBUTE_TRUE_VALUE
- See Also:
-
ATTRIBUTE_FALSE_VALUE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE
- See Also:
-
SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE
- See Also:
-
LOGIN_PROTOCOL
- See Also:
-
SAML_BINDING
- See Also:
-
SAML_IDP_INITIATED_LOGIN
- See Also:
-
SAML_POST_BINDING
- See Also:
-
SAML_ARTIFACT_BINDING
- See Also:
-
SAML_SOAP_BINDING
- See Also:
-
SAML_REDIRECT_BINDING
- See Also:
-
SAML_REQUEST_ID
- See Also:
-
SAML_REQUEST_ID_BROKER
- See Also:
-
SAML_LOGOUT_BINDING
- See Also:
-
SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO
- See Also:
-
SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER
- See Also:
-
SAML_LOGOUT_REQUEST_ID
- See Also:
-
SAML_LOGOUT_RELAY_STATE
- See Also:
-
SAML_LOGOUT_CANONICALIZATION
- See Also:
-
SAML_LOGOUT_BINDING_URI
- See Also:
-
SAML_LOGOUT_SIGNATURE_ALGORITHM
- See Also:
-
SAML_NAME_ID
- See Also:
-
SAML_NAME_ID_FORMAT
- See Also:
-
SAML_DEFAULT_NAMEID_FORMAT
-
SAML_PERSISTENT_NAME_ID_FOR
- See Also:
-
SAML_IDP_INITIATED_SSO_RELAY_STATE
- See Also:
-
SAML_IDP_INITIATED_SSO_URL_NAME
- See Also:
-
SAML_LOGIN_REQUEST_FORCEAUTHN
- See Also:
-
SAML_FORCEAUTHN_REQUIREMENT
- See Also:
-
SAML_LOGOUT_INITIATOR_CLIENT_ID
- See Also:
-
USER_SESSION_ID
- See Also:
-
CLIENT_SESSION_ID
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
session
-
realm
-
uriInfo
protected jakarta.ws.rs.core.UriInfo uriInfo -
headers
protected jakarta.ws.rs.core.HttpHeaders headers -
event
-
artifactResolver
-
singleUseStore
-
-
Constructor Details
-
SamlProtocol
public SamlProtocol()
-
-
Method Details
-
setSession
- Specified by:
setSession
in interfaceLoginProtocol
-
setRealm
- Specified by:
setRealm
in interfaceLoginProtocol
-
setUriInfo
- Specified by:
setUriInfo
in interfaceLoginProtocol
-
setHttpHeaders
- Specified by:
setHttpHeaders
in interfaceLoginProtocol
-
setEventBuilder
- Specified by:
setEventBuilder
in interfaceLoginProtocol
-
sendError
public jakarta.ws.rs.core.Response sendError(AuthenticationSessionModel authSession, LoginProtocol.Error error, String errorMessage) - Specified by:
sendError
in interfaceLoginProtocol
-
getClientData
Description copied from interface:LoginProtocol
Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain all the data to be able to send such response. For instance redirect-uri, state in case of OIDC or RelayState in case of SAML etc.- Specified by:
getClientData
in interfaceLoginProtocol
- Parameters:
authSession
- session from which particular clientData can be retrieved- Returns:
- client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests
-
sendError
public jakarta.ws.rs.core.Response sendError(ClientModel client, ClientData clientData, LoginProtocol.Error error) Description copied from interface:LoginProtocol
Send the specified error to the specified client with the use of this protocol. ClientData can contain additional metadata about how to send error response to the client in a correct way for particular protocol. For instance redirect-uri where to send error, state to be used in OIDC authorization endpoint response etc. This method is usually used when we don't have authenticationSession anymore (it was removed or expired) as otherwise it is recommended to use#sendError(AuthenticationSessionModel, Error)
NOTE: This method should also validate if provided clientData are valid according to given client (for instance if redirect-uri is valid) as clientData is request parameter, which can be injected to HTTP URLs by anyone.- Specified by:
sendError
in interfaceLoginProtocol
- Parameters:
client
- client where to send errorclientData
- clientData with additional protocol specific metadata needed for being able to properly send error with the use of this protocolerror
- error to be used- Returns:
- response if error was sent. Null if error was not sent.
-
buildErrorResponse
protected jakarta.ws.rs.core.Response buildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException -
getResponseIssuer
-
isPostBinding
-
isPostBinding
-
isLogoutPostBindingForInitiator
-
isLogoutPostBindingForClient
-
getNameIdFormat
-
getNameId
protected String getNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) -
getPersistentNameId
protected String getPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows:- saml.persistent.name.id.for.$clientId user attribute
- saml.persistent.name.id.for.* user attribute
- G-$randomUuid
If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.
- Returns:
- the user's persistent NameId
-
authenticated
public jakarta.ws.rs.core.Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) - Specified by:
authenticated
in interfaceLoginProtocol
-
buildAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException -
populateAttributeStatements
public AttributeStatementType populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
transformLoginResponse
public ResponseType transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
populateRoles
public void populateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) -
getSAMLNameId
protected String getSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
getLogoutServiceUrl
public static String getLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) -
useArtifactForLogout
-
frontchannelLogout
public jakarta.ws.rs.core.Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
frontchannelLogout
in interfaceLoginProtocol
-
finishBrowserLogout
public jakarta.ws.rs.core.Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) Description copied from interface:LoginProtocol
This method is called when browser logout is going to be finished. It is not triggered during backchannel logout- Specified by:
finishBrowserLogout
in interfaceLoginProtocol
- Parameters:
userSession
- user session, which was logged outlogoutSession
- authentication session, which was used during logout to track the logout state- Returns:
- response to be sent to the client
-
buildLogoutResponse
protected jakarta.ws.rs.core.Response buildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException -
backchannelLogout
public jakarta.ws.rs.core.Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
backchannelLogout
in interfaceLoginProtocol
-
createLogoutRequest
protected LogoutRequestType createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) throws ConfigurationException - Throws:
ConfigurationException
-
requireReauthentication
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) - Specified by:
requireReauthentication
in interfaceLoginProtocol
- Returns:
- true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
-
close
public void close() -
buildArtifactAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token sends the artifact message via post or redirect.- Parameters:
clientSession
- the current authenticated client sessionredirectUri
- the redirect uri to the clientsamlDocument
- a Document containing the saml ResponsebindingBuilder
- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ConfigurationException
ProcessingException
IOException
-
buildLogoutArtifactResponse
protected jakarta.ws.rs.core.Response buildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token, sends the artifact message via post or redirect. This method is only to be used for the final LogoutResponse.- Parameters:
userSession
- The current user session being logged outredirectUri
- the redirect uri to the clientstatusResponseType
- a Document containing the saml ResponsebindingBuilder
- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ProcessingException
IOException
ConfigurationException
-
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) throws ArtifactResolverProcessingException, ConfigurationException, ProcessingException -
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) throws ArtifactResolverProcessingException, ProcessingException, ConfigurationException
-